>Number: 39392
>Category: lib
>Synopsis: Document that strftime() is broken by design
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: lib-bug-people
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Fri Aug 22 17:35:00 +0000 2008
>Originator: Christian Biere
>Release: NetBSD 4.99.68
>Environment:
System: NetBSD cyclonus 4.99.68 NetBSD 4.99.68 (G3N3R1C) #6: Tue Jul 1 10:36:25
CEST 2008
src@cyclonus:/quark/NetBSD/obj/quark/NetBSD/src/sys/arch/i386/compile/G3N3R1C
i386
Architecture: i386
Machine: i386
>Description:
strftime() is inherently broken by design due the way it indicates
errors as specified by POSIX. As it returns 0 on error, the error
indicator overlaps with successful operation, namely when the format
gains an empty string. This can, for example, happen by passing an
empty string as format specifier or using "%p" in a locale in which
there are no AM/PM equivalents. Furthermore, POSIX declares the content
of the destination buffer as indeterminate if 0 is returned. That means
accessing the buffer causes undefined behavior. Relying on errno is not
portable because the specification does not mention it. Hence there's no
way to differ between success and error in this case.
>How-To-Repeat:
$ date +
date: Cannot allocate format buffer: Cannot allocate memory
$ date +%p # In a locale without AM/PM equivalents
date: Cannot allocate format buffer: Cannot allocate memory
FWIIW, on FreeBSD there are no such error messages because /bin/date
simply ignores the return value of strftime().
>Fix:
It's not possible to fix this because it's broken by design.
The BUGS section of strftime(3) should be extended by a hint:
A return value of zero does not necessarily indicate an error. If
the resulting string is the empty string, the result value is
zero and it is not possible to differ between success and error.